
Blocking DHCP Traffic

Last post 11-24-2008 8:56 PM by DLB - Caleb. 14 replies.
  • 11-17-2008 8:14 PM

    • gfrazier
    • Top 50 Contributor
    • Joined on 09-27-2008
    • Pearsall, TX
    • Posts 13

    Blocking DHCP Traffic

    Is there any way to block DHCP traffic in a DLB CPE 5-20 or a DLB AP Solo? I have a PtP link set up using two CPE 5-20's, one has been flashed with AP Solo firmware, and need to block DHCP traffic between the two networks. I have not found where I can do this as of yet.

     Thanks

  • 11-17-2008 11:13 PM In reply to

    Re: Blocking DHCP Traffic

    I'm guessing the network is currently bridged?

    Would converting to a routed network work in your application? 

    If you need a bridged network, we could add ebtables rules to the expert mode configuration to drop dhcp packets from going through the bridge...we'll just have to give you a config snippet.

    -Matt

  • 11-18-2008 11:06 AM In reply to

    • gfrazier

    Re: Blocking DHCP Traffic

     Yes, it is currently bridged, and we would like to keep it that way. The link's purpose is to transmit video from a network camera at one site to the recording system at the other site. In this particular situation it is much easier to accomplish the task over a bridged connection, if we can block DHCP traffic between the two. Do I need to send you a config file, or can you just send me the code I need to add?

  • 11-18-2008 11:21 AM In reply to

    Re: Blocking DHCP Traffic

    Can you go into expert mode, and post your current 'ebtables' section?

    Once you post this, I can modify it and give you something that will work.

    -Matt

  • 11-18-2008 11:33 AM In reply to

    • gfrazier

    Re: Blocking DHCP Traffic

     Section: ebtables
    ebtables.rule.1.chain=PREROUTING
    ebtables.rule.1.in=ath0
    ebtables.rule.1.status=disabled
    ebtables.rule.1.t.arpnat_target=ACCEPT
    ebtables.rule.1.table=nat
    ebtables.rule.1.target=arpnat
    ebtables.rule.2.chain=POSTROUTING
    ebtables.rule.2.out=ath0
    ebtables.rule.2.status=disabled
    ebtables.rule.2.t.arpnat_target=ACCEPT
    ebtables.rule.2.table=nat
    ebtables.rule.2.target=arpnat
    ebtables.rule.3.chain=BROUTING
    ebtables.rule.3.protocol=0x888e
    ebtables.rule.3.status=enabled
    ebtables.rule.3.table=broute
    ebtables.rule.3.target=DROP

    ebtables.status=enabled

  • 11-18-2008 11:45 AM In reply to

    Re: Blocking DHCP Traffic

    You can add these lines to block any DHCP traffic from being passed through the bridge:

    ebtables.rule.4.chain=FORWARD
    ebtables.rule.4.target=DROP
    ebtables.rule.4.protocol=IPv4
    ebtables.rule.4.in=br0
    ebtables.rule.4.ip.protocol=udp
    ebtables.rule.4.ip.source_port=67:68

    So your rules should now look like:

    ebtables.rule.1.chain=PREROUTING
    ebtables.rule.1.in=ath0
    ebtables.rule.1.status=disabled
    ebtables.rule.1.t.arpnat_target=ACCEPT
    ebtables.rule.1.table=nat
    ebtables.rule.1.target=arpnat
    ebtables.rule.2.chain=POSTROUTING
    ebtables.rule.2.out=ath0
    ebtables.rule.2.status=disabled
    ebtables.rule.2.t.arpnat_target=ACCEPT
    ebtables.rule.2.table=nat
    ebtables.rule.2.target=arpnat
    ebtables.rule.3.chain=BROUTING
    ebtables.rule.3.protocol=0x888e
    ebtables.rule.3.status=enabled
    ebtables.rule.3.table=broute
    ebtables.rule.3.target=DROP

    ebtables.rule.4.chain=FORWARD
    ebtables.rule.4.target=DROP
    ebtables.rule.4.protocol=IPv4
    ebtables.rule.4.in=br0
    ebtables.rule.4.ip.protocol=udp
    ebtables.rule.4.ip.source_port=67:68

    ebtables.status=enabled

    This should work for you. 

    One thing to keep in mind is that the new CPE skins may overwrite what you did in expert mode. So if you add these lines, then make a change in the CPE skin, it may erase these. In the AP firmware, this shouldn't be a problem though.

    Let me know if that works.

    -Matt

     

  • 11-18-2008 3:36 PM In reply to

    • gfrazier

    Re: Blocking DHCP Traffic

     I am still pulling addresses across the link. I don't know if this makes a difference or not, but I have DHCP servers running on both sides of this link. So it needs to be blocked from both directions. Here is the config.

     

    # Section: ebtables
    ebtables.rule.1.chain=PREROUTING
    ebtables.rule.1.in=ath0
    ebtables.rule.1.status=disabled
    ebtables.rule.1.t.arpnat_target=ACCEPT
    ebtables.rule.1.table=nat
    ebtables.rule.1.target=arpnat
    ebtables.rule.2.chain=POSTROUTING
    ebtables.rule.2.out=ath0
    ebtables.rule.2.status=disabled
    ebtables.rule.2.t.arpnat_target=ACCEPT
    ebtables.rule.2.table=nat
    ebtables.rule.2.target=arpnat
    ebtables.rule.3.chain=BROUTING
    ebtables.rule.3.protocol=0x888e
    ebtables.rule.3.status=enabled
    ebtables.rule.3.table=broute
    ebtables.rule.3.target=DROP
    ebtables.rule.4.chain=FORWARD
    ebtables.rule.4.in=br0
    ebtables.rule.4.ip.protocol=udp
    ebtables.rule.4.ip.source_port=67:68
    ebtables.rule.4.protocol=IPv4
    ebtables.rule.4.target=DROP

    ebtables.status=enabled

     

    I pasted this into the AP. Is it supposed to be pasted into both?

  • 11-18-2008 6:52 PM In reply to

    Re: Blocking DHCP Traffic

     Ok, I think I was missing a line...

    ebtables.rule.4.chain=FORWARD
    ebtables.rule.4.table=filter
    ebtables.rule.4.ip.protocol=udp
    ebtables.rule.4.ip.source_port=67:68
    ebtables.rule.4.protocol=IPv4
    ebtables.rule.4.target=DROP
    ebtables.rule.4.status=enabled

    Can you use this instead...

    (the table=filter line was missing)

    Also, take out the in=br0 line that was previously used

    I just tested this, and it worked for me. Let me know if it works for you.

    -Matt

  • 11-18-2008 7:12 PM In reply to

    • gfrazier

    Re: Blocking DHCP Traffic

     Works like a charm! Thanks Matt!

  • 11-18-2008 7:18 PM In reply to

    Re: Blocking DHCP Traffic

    No problem... glad I could help
  • 11-18-2008 7:41 PM In reply to

    • gfrazier

    Re: Blocking DHCP Traffic

     I seem to have jumped the gun.

    The AP is blocking dhcp coming in the wireless interface, but not going out. The camera behind the AP was not able to pull an address across the link, but the camera behind the CPE was able to pull an address back the other way.

    Is there any way for us to add that code into the CPE?

  • 11-19-2008 1:08 PM In reply to

    • gfrazier

    Re: Blocking DHCP Traffic

     So far, so good! This code seems to be blocking dhcp both ways.

    ebtables.rule.5.chain=INPUT
    ebtables.rule.5.table=filter
    ebtables.rule.5.ip.protocol=udp
    ebtables.rule.5.ip.source_port=67:68
    ebtables.rule.5.protocol=IPv4
    ebtables.rule.5.target=DROP
    ebtables.rule.5.status=enabled

    My boss is on his way down there to set up the video recording system. We'll know by this afternoon if there are any issues.

    Thanks again!
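
An offline check for the configuration this thread arrives at, added here as an example (not code from Deliberant or from either poster): it parses expert-mode `ebtables.rule.N.*` lines and reports DHCP drop rules that lack `table` or `status`, and chains left without an effective rule. That a rule needs `table=filter` and `status=enabled` to take effect is inferred from the thread, and the function names are hypothetical.

```python
import re

# Keys the thread's working rules all carry; the first attempt lacked
# `table` and `status`, and DHCP still crossed the link.
REQUIRED = ("table", "chain", "target", "status")
RULE_RE = re.compile(r"^ebtables\.rule\.(\d+)\.([\w.]+)=(.*)$")

def parse_rules(text):
    """Group `ebtables.rule.N.key=value` lines into {N: {key: value}}."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3).strip()
    return rules

def is_dhcp_drop(rule):
    """True for a DROP rule matching IPv4/UDP with source port 67:68."""
    return (rule.get("target") == "DROP"
            and rule.get("protocol", "").lower() == "ipv4"
            and rule.get("ip.protocol", "").lower() == "udp"
            and rule.get("ip.source_port") == "67:68")

def audit(text, chains=("FORWARD", "INPUT")):
    """Return findings; an empty list means every listed chain is covered."""
    findings, covered = [], set()
    for num, rule in sorted(parse_rules(text).items()):
        if not is_dhcp_drop(rule):
            continue
        missing = [k for k in REQUIRED if k not in rule]
        if missing:
            findings.append(f"rule {num}: missing {', '.join(missing)}")
        elif rule["status"] != "enabled" or rule["table"] != "filter":
            findings.append(f"rule {num}: not an enabled filter-table rule")
        else:
            covered.add(rule["chain"])
    return findings + [f"no effective DHCP drop in {c}"
                       for c in chains if c not in covered]

def dhcp_rule(num, chain, omit=()):
    """Build the thread's rule lines, optionally leaving some keys out."""
    keys = {"chain": chain, "table": "filter", "ip.protocol": "udp",
            "ip.source_port": "67:68", "protocol": "IPv4",
            "target": "DROP", "status": "enabled"}
    return "\n".join(f"ebtables.rule.{num}.{k}={v}"
                     for k, v in keys.items() if k not in omit)

# Constructed inputs: rule 4 without table/status, then the final rules 4 and 5.
FIRST_ATTEMPT = dhcp_rule(4, "FORWARD", omit=("table", "status"))
FINAL = dhcp_rule(4, "FORWARD") + "\n" + dhcp_rule(5, "INPUT")
```

Running `audit()` over a saved expert-mode section after any change made through the CPE skin shows whether the hand-added rules are still present.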

  • 11-20-2008 8:00 PM In reply to

    Re: Blocking DHCP Traffic

    What did the boss find out?

    Caleb

  • 11-21-2008 11:58 AM In reply to

    • gfrazier

    Re: Blocking DHCP Traffic

     Everything looks good! Thanks guys!

  • 11-24-2008 8:56 PM In reply to

    Re: Blocking DHCP Traffic

    Good deal, let us know if you need anything else.

    Caleb

Copyright Deliberant LLC. All rights reserved.